Landscape Server

Open redirection vulnerability

Bug #1929620 reported by Anton
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Landscape Server
Fix Released
High
Simon Poirier
Landscape Server 19.10.5

Bug Description

Open redirect is possible using request path /redirect?next_url=/\example.com.
This can be used to perform phishing campaigns in order to obtain landscape credentials, that further can be used to RCE on multiple endpoints registered in the victim's Landscape account.

CVE References

Revision history for this message
Anton (ivanovant) wrote :

landscape.is.canonical.com is also vulnerable, just try to open https://landscape.is.canonical.com/redirect?next_url=/\qweqweasdasdqweqwe.com

Simon Poirier (simpoir)
Changed in landscape:
status: New → Confirmed
importance: Undecided → Critical
importance: Critical → High
Revision history for this message
Anton (ivanovant) wrote :

Hello!

Thank for the update. Will you assign CVE for this bug?

Simon Poirier (simpoir)
Changed in landscape:
assignee: nobody → Simon Poirier (simpoir)
status: Confirmed → In Progress
Simon Poirier (simpoir)
Changed in landscape:
status: In Progress → Fix Committed
Revision history for this message
Anton (ivanovant) wrote :

Hi Simon!

Will you assign CVE for this bug?

Simon Poirier (simpoir)
Changed in landscape:
milestone: none → 19.10.5
Simon Poirier (simpoir)
Changed in landscape:
status: Fix Committed → Fix Released
Anton (ivanovant)
information type: Private Security → Public
Alex Murray (alexmurray)
information type: Public → Public Security
Revision history for this message
Mark Esler (eslerm) wrote :

Thank you for reporting this vulnerability Anton.

Please refer to this vulnerability as CVE-2023-32551.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.